Posted
by
Soulskillon Friday August 17, 2012 @02:18PM
from the tilting-at-windmills dept.

An anonymous reader writes "A new spear-phishing attack targeting a number of specific companies in a few industries, including the energy sector, has been spotted by several security companies. Dubbed 'Shamoon' due to a string of a folder name within the malware executable, the attack ends up with delivering destructive malware on the targeted computers that ends up making them unusable. The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the master boot record of the computer."

We're moving from cyber espnage to cyber sabotage. The summary doesn't say what countries Re targeted, but it will be interesting to see if this is government sponsored against the middle east, government (china) sponsored against US, or private malicious. A brave new world!

And that's a huge problem with cyber: attribution. Even if an attack appears to be coming from a particular source, that doesn't mean it originated from and/or was ordered by that source. In fact, intentional misattribution or denial of attribution is yet another element of cyber operations. From a US perspective, we still don't have a comprehensive set of rules of engagement for cyber, or even really have consistent, well-understood definitions for what constitutes "cyber war" (though there's certainly a lot of hype...)

Some relevant recent articles:

---

Cyber Command struggles to define its place on a shifting battlefield - Nextgov

The U.S. Cyber Command, which directs network offensive operations for the Pentagon and protects its networks, is becoming more open about the military’s capabilities in cyberspace. Recently, the Defense Department was forced to show part of its hand when leaks surfaced about U.S.-manufactured cyber weapons and cyber espionage missions. Still, since 2011, the department has told the world it stands prepared to protect U.S. national security interests through cyberspace maneuvers.

Pentagon warfighters have for years been asking for a cybercombat policy, rules of engagement, funding and a less-fragmented chain of authority. But those needs remain unfulfilled as bureaucrats, lawmakers and top Defense Department civilian officials thrash about in a pit of indecision while an international complex of digital threats continues to emerge.

Despite the ongoing concern about the escalating pace of cyber attacks, a new set of standing rules of engagement for cyber operations — policy guidelines that would specify how the Pentagon would respond to different types of cyber attacks — is being delayed by a debate over the role of the U.S. military in defending non-military networks, sources said.

The Pentagon is rewriting the book on how it defends against and possibly responds to cyberattacks against the United States, the top uniformed officer in charge of the effort told Congress on Tuesday.

And that's a huge problem with cyber: attribution. Even if an attack appears to be coming from a particular source, that doesn't mean it originated from and/or was ordered by that source. In fact, intentional misattribution or denial of attribution is yet another element of cyber operations. From a US perspective, we still don't have a comprehensive set of rules of engagement for cyber, or even really have consistent, well-understood definitions for what constitutes "cyber war" (though there's certainly a lot of hype...)

Attribution is a problem, but it certainly isn't a new one. The King got poisoned? Well hell, it could have been spies from any one of our enemies! Or even an ally that wanted us to hate our enemies more! Or even a friend that wanted us to turn on an ally! To the horses! Avenge the King!

But seriously, covert and clandestine operations have been around basically since the beginning of state conflict. "Cyber war" is scary, and some threats are justified, but acting like this is a brave new world real

1. Wait for US energy companies to use a cost-effective manufacturing solution (in China). Hijack trade secrets and hire away skilled workers.2. Produce a few years worth of product.3. "Dump" product for less than it cost to make, bankrupting the US based competition.4. Profit from stockpile of product that can now be sold with little competition.

At the risk of giving them more ideas, wouldn't it be simpler to uninstall and erase all traces? Maybe also defrag hard disk on the way out. Corrupted PCs are all but guaranteed to attract attention of IT, who have much greater chance to detect intrusion than your average user.

The point is probably to cause mayhem by corrupting the systems. It may be targeted, but it doesn't look nearly as targeted as Flame was. It sounds like they just want to cause wanton destruction and chaos by disrupting the target's computer systems, which in some cases is as effective as any subtle attack.

My guess; A security guy in the energy industry got bored of his manager refusing to pay for anything other than audits saying "your security is great". This is his way of getting some action. A hero perhaps? If so I hope he knows how not to get caught...

Alternatively, an unsubtle message from the Iranians to the effect of "you have more to lose than we do"?

The reality is they are not all that destructive unless you can sneak them onto a computer manufacturer. Those viruses became futile because of course they inherently destroy themselves and spread is very limited. Usually they are left behind after a system has been cracked to cover up the trail. Of course they could also be used to hide other things being done ie computer crashes, get repaired, the blatant virus cleaned off and everyone thinks they are safe but they have actually missed a critical back do

I remember trying to get users at a local Amiga user group to dial in to my BBS, and many of them said at the time "No, I don't connect to a BBS 'cause I might get a virus".

I bet those same people were the first ones on the internet however, and are still running their Windows 2000 PC connected directly to the cable modem...

Ah, the good old days, when Virii were destructive. But now, with 500GB HD's being the norm, they get to be even MORE destructive. I mean, loosing a floppy with at most 800k of data on it was one thing, but a 500GB HD? Yowza, I can't wait to hear the screams.

Which ones?It seems to be targeted against specific companies. There's a rumor that Saudi Aramco is one of them.The set of target companies should give us a very good idea of the purpose. Economic? Political?

According to the linked article (which apparently you didn't read): "The researchers have not said which company has been the target of Shamoon attacks, but it is widely speculated that it could be Saudi Aramco"

Indeed... they would have injected rm -rf/. or even dd if=/dev/zero of=/dev/sda bs=1M otherwise.

Obviously, they were targeting specific machines, and those machines happened to run Windows. Phishing for escalation and destroying drives in such a brazen way is going to work on whatever system they target. Of course, why the energy companies are running Windows instead of something more unixy is a puzzler in itself.